altinity-expert-clickhouse-connection
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill directs the agent to run the `clickhouse-client` binary. This capability allows the agent to execute shell commands. While intended for diagnostics, there are no instructions to sanitize the path or arguments if they are influenced by user input or database results.
- PROMPT_INJECTION (HIGH): (Indirect) The skill has a high-risk surface for indirect prompt injection because it ingests external data to make execution decisions.
- Ingestion points: Data enters the agent context from `system.clusters`, `system.asynchronous_metrics`, and table schemas via `DESCRIBE TABLE` (SKILL.md).
- Boundary markers: No delimiters or instructions to ignore embedded commands in the database output are present.
- Capability inventory: The agent can execute arbitrary SQL via MCP or shell commands via `clickhouse-client` (SKILL.md).
- Sanitization: There is no evidence of sanitization; the skill explicitly instructs the agent to replace placeholders like `'{cluster}'` with strings retrieved directly from the database, which could be exploited if an attacker controls the database metadata.
Recommendations
- AI detected serious security threats